On March 14, 2018, the Securities and Exchange Commission announced insider trading charges against Jun Ying, a former chief information officer of a US business unit of Equifax Inc. The SEC complaint alleges that Mr. Ying exercised employee stock options and disposed of the underlying Equifax shares shortly before the Company’s September 2017 announcement that it had suffered a major data breach. The complaint also follows on the heels of the Commission’s recent public statement concerning cybersecurity risk and incident disclosure, which expressly warned registrants and insiders to consider the impact of cybersecurity incidents on trading activity by insiders and insider trading policies. The SEC’s complaint against Mr. Ying is available here.

Commission Cybersecurity Guidance

As discussed in our recent client alert, available here, on February 21, 2018, the Commission issued a detailed public statement regarding public disclosure obligations with respect to cybersecurity risk and incidents. Although the Commission largely restated and supplemented (rather than replaced) the existing Division of Corporation Finance 2011 cybersecurity guidance, it also included a wholly new focus on insider trading and selective disclosure in the context of cybersecurity incidents.

Indeed, the Commission highlighted concerns that “information about a company’s cybersecurity risks and incidents may be material nonpublic information” and that therefore registrants and their insiders should be mindful of “complying with the laws related to insider trading in connection with information about cybersecurity risks and incidents, including vulnerabilities and breaches.” The Commission also explicitly encouraged registrants to consider (i) how their code of ethics and insider trading policies “take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents” as well as (ii) whether and how it may be appropriate to “implement restrictions on insider trading in their securities” in connection with cyber-related events. In the context of Regulation FD, the Commission said that it “expect[s] companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively . . . .” The charges against Mr. Ying demonstrate the Commission’s willingness to use undisclosed cybersecurity incidents as a predicate for insider trading charges.

Insider Trading Charges

According to the Commission, Mr. Ying, reportedly in line to become the next Equifax global Chief Information Officer, exercised all of his vested Equifax stock options and sold all of the Equifax shares resulting from those option exercises. He allegedly did so after he was entrusted with confidential information that led him to conclude that Equifax had suffered a serious cybersecurity breach, but before the Company disclosed the occurrence of that breach to the public. Mr. Ying allegedly reaped proceeds of approximately $1 million and avoided more than $117,000 in losses by trading before the Company’s public announcement. The Commission’s civil complaint charges Mr. Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, civil penalties, and injunctive relief. The US Attorney’s Office for the Northern District of Georgia announced criminal charges against Mr. Ying.

Conclusion

The charges against Mr. Ying reinforce the significance of cybersecurity risk and provide additional support for the Commission’s emphasis on appropriate conduct by those who are aware of material, non-public information related to cybersecurity incidents. As Chairman Clayton recently said, registrants should continue to “examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” Registrants should therefore consider reviewing their policies and procedures to confirm that they address disclosure obligations and the insider trading risks presented by potential cybersecurity incidents, and should consider periodic assessments of those policies and procedures to ensure that they remain up to date.